authorio 0.8.1 → 0.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 415f389a073c49afa82e47fc8caa28fb66d5586cc81758f63e4840f953fb7950
-  data.tar.gz: 6184be72a5c9f999984c33d6b24e4bd09ea6f0a15469512df70c833610477a69
+  metadata.gz: b69bae6ee41c0e027922f5bc07b2bc61c72c86026a8e42eee97366453858af43
+  data.tar.gz: 496cb0ada5d2802e789b34e28ed21dc320b4ce76c9b9036b705ea8f7219efa8a
 SHA512:
-  metadata.gz: fbfd300b93d372aa86257b484164be9944ce7950ebc91bfff3a1fe585f858e618e9dee0afbca33ea07953a8aea35b9c79f90cbca6b87e2b78e393cd7e1b9d810
-  data.tar.gz: ea5e5f5b850d0c88be5dfe2fbfd75abb747625059d544bfbd1988076a3c259bc69db8781036e4ad33d8a7d00f23577e06cc8402d11d0d126080334156048f9f1
+  metadata.gz: 9a361fbec959948621257d111de2af8256fc23fee38be56660c66b5b68b8f80972660317ac06d997c93cd28b62406387089a67110894d09acdf34d60e2b8635c
+  data.tar.gz: a887161dd53aedea2527d1678db6fc6cd7c7d22aff6631442cde63d61d4f6093f29c08bcab8ef20c278d255e247eb5fcb8c5be549ced931f81ac2954e8d1c7fe

data/README.md

@@ -106,6 +106,31 @@ will be logged in!
 When you installed Authorio it placed a config file in `config/initializers/authorio.rb`. If you want to change
 one of the defaults you can uncomment it and specify it here.
 
+### Mount Point
+
+Most Rails engines are mounted via `mount Authorio::Engine, at: mount_point`. But Authorio needs to know its own
+mount point (to specify its url in the header tag) so you specify the mount point here. The default `authorio`
+should work for everyone.
+
+### Authorization and Token Endpoint
+
+These endpointd are given to servers via discovery. The default values should suffice.
+
+### Token Expiration
+
+If a client asks for an authentication token, the token will be valid for this length of time, after which
+you will have to re-authenticate. Longer-lasting
+tokens can possibly be a security risk. Default is 4 weeks.
+
+### Local Session Lifetime
+
+Setting this to a time interval will enable you to authenticate without typing in your password. It enables a
+"remember me" chekbox on the authentication form. If you check that, then enter your
+password once, then your session will be saved in a cookie, and any time you are asked to authenticate again,
+you can just click "Sign In" without your password. It can be a security risk if someone else has access to
+the machine you are using to login with (eg your laptop). Obviously you don't want to check "remember me"
+on a public-access computer. Default is *nil* (disabled)
+
 ### TODO
 
 - [ ] Customizing the authentication view/UI

data/app/assets/stylesheets/authorio/auth.css

@@ -27,7 +27,7 @@ div.authorio-auth {
 	margin-left:  1.2em;
 }
 
-.authorio-auth input {
+.authorio-auth input:not([type='checkbox']):not([type='submit']) {
 	margin: 0 1em 1em 1em;
 	width:  90%;
 }
@@ -39,3 +39,25 @@ div.authorio-auth {
 .authorio-auth input.btn {
 	margin-top: 2em;
 }
+
+.auth-btn-row {
+	margin: 1em;
+	width: 90%;
+}
+
+.authorio-auth .auth-btn-row .auth-btn {
+	width: 45%;
+	margin: 0.1em;
+}
+
+.authorio-auth .auth-btn-row .auth-btn:last-child {
+	float: right;
+}
+
+span.r-m {
+	font-weight: 200;
+}
+
+label.remember {
+	margin-top: -1em;
+}

data/app/controllers/authorio/auth_controller.rb

@@ -2,84 +2,103 @@ module Authorio
   class AuthController < ActionController::Base
     require 'uri'
     require 'digest'
+    layout 'authorio/main'
 
-    protect_from_forgery except: [:send_profile, :issue_token, :authorize_user]
+    # These API-only endpoints are protected by code challenge and do not need CSRF protextion
+    protect_from_forgery with: :exception, except: [:send_profile, :issue_token]
+
+    rescue_from 'Authorio::Exceptions::SessionReplayAttack' do |exception|
+      redirect_back_with_error "Session Replay attack detected. This has been logged."
+      logger.info "Session replay attack detected!"
+      Authorio::Session.where(user: exception.session.user).delete_all
+    end
 
     def authorization_interface
       p = auth_req_params
       p[:me] ||= "#{host_with_protocol}/"
-
-      user = User.find_by! profile_path: URI(p[:me]).path
-      @user_url = p[:me] || user_url(user)
+      @user = User.find_by! profile_path: URI(p[:me]).path
 
       # If there are any old requests from this (client, user), delete them now
-      Request.where(authorio_user: user, client: p[:client_id]).delete_all
+      Request.where(authorio_user: @user, client: p[:client_id]).delete_all
 
       auth_request = Request.new.tap do |req|
         req.code = SecureRandom.hex(20)
         req.redirect_uri = p[:redirect_uri]
         req.client = p[:client_id] # IndieAuth client_id conflicts with Rails' _id foreign key convention
         req.scope = p[:scope]
-        req.authorio_user = user
+        req.authorio_user = @user
       end
       auth_request.save
       session[:state] = p[:state]
       session[:code_challenge] = p[:code_challenge]
+      session[:client_id] = p[:client_id]
+      @user_logged_in_locally = !user_session.nil?
+      @rememberable = Authorio.configuration.local_session_lifetime && !@user_logged_in_locally
 
     rescue ActiveRecord::RecordNotFound
-      flash.now[:alert] = "Invalid user"
-      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+      redirect_back_with_error "Invalid user"
     end
 
     def authorize_user
       p = auth_user_params
-      user = User.find_by! profile_path: URI(p[:url]).path
-      auth_req = Request.find_by! client: p[:client], authorio_user: user
-      if user.authenticate(p[:password])
-        params = { code: auth_req.code, state: session[:state] }
-        redirect_to "#{auth_req.redirect_uri}?#{params.to_query}"
-      else
-        flash.now[:alert] = "Incorrect password. Try again."
-        redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+
+      if params[:commit] == "Cancel"
+        redirect_to session[:client_id] and return
+      end
+
+      user = authenticate_user_from_session_or_password
+      if p[:remember_me]
+        cookies.encrypted[:user] = {
+          value: Authorio::Session.create(authorio_user: user).as_cookie,
+          expires: Authorio.configuration.local_session_lifetime
+        }
       end
+
+      auth_req = Request.find_by! client: session[:client_id], authorio_user: user
+      params = { code: auth_req.code, state: session[:state] }
+      redirect_to "#{auth_req.redirect_uri}?#{params.to_query}"
+
     rescue ActiveRecord::RecordNotFound
-      flash.now[:alert] = "Invlaid user"
-      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+      redirect_back_with_error "Invalid user"
+    rescue Authorio::Exceptions::InvalidPassword
+      redirect_back_with_error "Incorrect password. Try again."
     end
 
     def send_profile
-      begin
-        render json: { 'me': user_url(validate_request.authorio_user) }
-      rescue Authorio::Exceptions::InvalidGrant
-        render invalid_grant
-      end
+      render json: { 'me': user_url(validate_request.authorio_user) }
+    rescue Authorio::Exceptions::InvalidGrant
+      render invalid_grant
     end
 
     def issue_token
-      begin
-        req = validate_request
-        raise Authorio::Exceptions::InvalidGrant.new if req.scope.blank?
-        token = Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
-        render json: {
-          'me': user_url(req.authorio_user),
-          'access_token': token.auth_token,
-          'scope': req.scope,
-          'token_type': 'Bearer'
-        }
-      rescue Authorio::Exceptions::InvalidGrant
-        render invalid_grant
-      end
+      req = validate_request
+      raise Authorio::Exceptions::InvalidGrant.new if req.scope.blank?
+      token = Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
+      render json: {
+        'me': user_url(req.authorio_user),
+        'access_token': token.auth_token,
+        'scope': req.scope,
+        'expires_in': Authorio.configuration.token_expiration,
+        'token_type': 'Bearer'
+      }
+    rescue Authorio::Exceptions::InvalidGrant
+      render invalid_grant
     end
 
     def verify_token
       token = Token.find_by! auth_token: bearer_token
-      render json: {
-        'me': user_url(token.authorio_user),
-        'client_id': token.client,
-        'scope': 'token.scope'
-      }
-      rescue ActiveRecord::RecordNotFound
-        head :bad_request
+      if token.expired?
+        token.delete
+        render token_expired
+      else
+        render json: {
+          'me': user_url(token.authorio_user),
+          'client_id': token.client,
+          'scope': 'token.scope'
+        }
+      end
+    rescue ActiveRecord::RecordNotFound
+      head :bad_request
     end
 
     private
@@ -94,7 +113,7 @@ module Authorio
     end
 
     def auth_user_params
-      params.permit(:password, :url, :client)
+      params.require(:user).permit(:password, :url, :remember_me)
     end
 
     def host_with_protocol
@@ -109,6 +128,10 @@ module Authorio
       { json: { 'error': 'invalid_grant' }, status: :bad_request }
     end
 
+    def token_expired
+      { json: {'error': 'invalid_token', 'error_message': 'The access token has expired' }, status: :unauthorized }
+    end
+
     def code_challenge_failed?
       # For now, if original request did not have code challenge, then we pass by default
       return false if session[:code_challenge].nil?
@@ -137,5 +160,25 @@ module Authorio
       header.gsub(bearer, '') if header && header.match(bearer)
     end
 
+    def user_session
+      cookie = cookies.encrypted[:user] and Session.find_by_cookie(cookie)
+    end
+
+    def redirect_back_with_error(error)
+      flash[:alert] = error
+      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+    end
+
+    def authenticate_user_from_session_or_password
+      session = user_session
+      if session
+        return session.authorio_user
+      else
+        user = User.find_by! profile_path: URI(auth_user_params[:url]).path
+        raise Authorio::Exceptions::InvalidPassword unless user.authenticate(auth_user_params[:password])
+        return user
+      end
+    end
+
   end
 end

data/app/{controllers/authorio/helpers.rb → helpers/authorio/tag_helper.rb}

@@ -1,6 +1,6 @@
 module Authorio
   # These helpers are provided to the main application
-  module Helpers
+  module TagHelper
     extend ActiveSupport::Concern
 
     included do
@@ -10,8 +10,8 @@ module Authorio
     end
 
     def indieauth_tag
-      %Q[<link rel="authorization_endpoint" href="#{URI.join(root_url, Authorio.authorization_path)}">
-        <link rel="token_endpoint" href="#{URI.join(root_url, Authorio.token_path)}">].html_safe
+      tag(:link, rel: 'authorization_endpoint', href: URI.join(root_url, Authorio.authorization_path)) <<
+      tag(:link, rel: 'token_endpoint', href: URI.join(root_url, Authorio.token_path))
     end
   end
 end

data/app/models/authorio/session.rb

@@ -0,0 +1,40 @@
+module Authorio
+  class Session < ApplicationRecord
+    # Implement a session cookie store based on best security practices
+    # See: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence
+    belongs_to :authorio_user, class_name: "::Authorio::User"
+
+    # 1. Protect against having database stolen by only storing token hashes
+    attribute :token   # This will not be persisted in the DB
+    has_secure_token
+
+    before_create do
+      self.expires_at = Time.now + Authorio.configuration.token_expiration
+      self.selector = SecureRandom.hex(12)
+      self.hashed_token = Digest::SHA256.hexdigest self.token
+    end
+
+    # 2. To guard against timing attacks, we lookup tokens based on a separate selector attribute
+    #    and compare them using a secure time-constant comparison method
+    def self.find_by_cookie(cookie)
+      _selector, _token = cookie.split(':')
+      session = find_by selector: _selector
+      raise Authorio::Exceptions::SessionReplayAttack.new(session) unless session.matches_cookie?(cookie)
+      session
+    end
+
+    def matches_cookie?(cookie)
+      _selector, _token = cookie.split(':')
+      _hashed_token = Digest::SHA256.hexdigest _token
+      !expired? && ActiveSupport::SecurityUtils.secure_compare(_hashed_token, hashed_token)
+    end
+    
+    def expired?
+      return expires_at < Time.now
+    end
+
+    def as_cookie
+      "#{selector}:#{token}"
+    end
+  end
+end

data/app/models/authorio/token.rb

@@ -4,5 +4,13 @@ module Authorio
     has_secure_token :auth_token
 
     validates_presence_of :scope, :client
+
+    before_create do
+      self.expires_at = Time.now + Authorio.configuration.token_expiration
+    end
+
+    def expired?
+      return expires_at < Time.now
+    end
   end
 end

data/app/views/authorio/auth/authorization_interface.html.erb

@@ -1,37 +1,33 @@
-<!DOCTYPE html>
-<html lang="en-GB">
-  <head>
-    <meta charset="utf-8">
-    <title>Authorio Login</title>
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="stylesheet"
-      href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
-      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
-      crossorigin="anonymous">
-    <%= stylesheet_link_tag "authorio/auth" %>
-  </head>
-  <body>
-    <div class="container authorio-auth">
-      <div class="row">
-        <div class="col-md-4">
-        </div>
-        <div class="col-md-4 auth-panel">
-          <h3>Authorio</h3>
-          <div class="client-row">
-            Authenticating with <span class="client"><%= params[:client_id] %>
-          </div>
-          <%= form_with(url: "authorize_user", method: :post) do |form| %>
-          <%= form.label(:url, "User URL") %>
-          <%= form.text_field(:url, value: @user_url, readonly: true) %>
+<%= stylesheet_link_tag "authorio/auth" %>
+<% content_for :title, "Authorio Login" %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>Authorio</h3>
+      <div class="client-row">
+        Authenticating with <span class="client"><%= params[:client_id] %>
+      </div>
+      <%= form_with(model: @user, url: authorize_user_path(@user), method: :post) do |form| %>
+        <%= form.label(:url, "User URL") %>
+        <%= form.text_field(:url, value: params[:me], readonly: true) %>
+        <% unless @user_logged_in_locally %>
           <%= form.label(:password, "Password") %>
           <%= form.password_field(:password, autofocus: true) %>
-          <%= form.hidden_field(:client, value: params[:client_id]) %>
-          <%= form.submit("Sign in", class: 'btn btn-success') %>
+          <% if @rememberable %>
+            <%= label_tag(:remember_me, class: 'remember') do %>
+              <%= form.check_box :remember_me %>
+              <span class='r-m'>Remember me for <%= distance_of_time_in_words Authorio.configuration.local_session_lifetime -%></span>
+            <% end %>
           <% end %>
+        <% end %>
+        <div class='auth-btn-row'>
+          <%= form.submit("Cancel", class: 'btn btn-default auth-btn') %>
+          <%= form.submit("Sign in", class: 'btn btn-success auth-btn') %>
         </div>
-        <div class="col-md-4">
-        </div>
-      </div>
+      <% end %>
     </div>
-  </body>
-</html>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/layouts/authorio/main.html.erb

@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title><%= yield(:title) %></title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="stylesheet"
+    href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
+    integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
+    crossorigin="anonymous">
+
+  <%= stylesheet_link_tag    "authorio/application", media: "all" %>
+</head>
+<body data-no-turbolinks="true" data-turbolinks="false">
+
+<% flash.each do |key, value| %>
+      <div class="alert alert-warning">
+            <p><%= value %></p>
+      </div>
+<% end %>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -1,7 +1,9 @@
 Authorio::Engine.routes.draw do
 	get Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'authorization_interface'
 	post Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'send_profile'
-	post '/authorize_user', controller: 'auth', action: 'authorize_user'
+	resources :users do
+		post 'authorize', on: :member, to: 'auth#authorize_user'
+	end
 	get Authorio.configuration.token_endpoint, controller: 'auth', action: 'verify_token'
 	post Authorio.configuration.token_endpoint, controller: 'auth', action: 'issue_token'
 end

data/db/migrate/20210723161041_add_expiry_to_tokens.rb

@@ -0,0 +1,5 @@
+class AddExpiryToTokens < ActiveRecord::Migration[6.1]
+  def change
+    add_column :authorio_tokens, :expires_at, :datetime
+  end
+end

data/db/migrate/20210726164625_create_authorio_sessions.rb

@@ -0,0 +1,12 @@
+class CreateAuthorioSessions < ActiveRecord::Migration[6.1]
+  def change
+    create_table :authorio_sessions do |t|
+      t.references :authorio_user, null: false, foreign_key: true
+      t.string :selector
+      t.string :hashed_token
+      t.datetime :expires_at
+      t.timestamps
+    end
+  end
+end
+

data/lib/authorio/configuration.rb

@@ -1,12 +1,15 @@
 module Authorio
 	class Configuration
 
-		attr_accessor :authorization_endpoint, :token_endpoint, :mount_point
+		attr_accessor :authorization_endpoint, :token_endpoint, :mount_point, :token_expiration,
+			:local_session_lifetime
 
 		def initialize
 			@authorization_endpoint = "auth"
 			@token_endpoint = "token"
 			@mount_point = "authorio"
+			@token_expiration = 4.weeks
+			@local_session_lifetime = nil
 		end
 	end
 end

data/lib/authorio/engine.rb

@@ -1,14 +1,15 @@
 module Authorio
-  class Engine < ::Rails::Engine
+	class Engine < ::Rails::Engine
 		isolate_namespace Authorio
 
 		initializer "authorio.load_helpers" do |app|
-			ActionController::Base.send :include, Authorio::Helpers
+			Rails.application.reloader.to_prepare do
+				ActionView::Base.send :include, Authorio::TagHelper
+			end
 		end
 
 		initializer "authorio.assets.precompile" do |app|
 			app.config.assets.precompile += %w( authorio/auth.css )
 		end
-
-  end
+	end
 end

data/lib/authorio/exceptions.rb

@@ -1,5 +1,14 @@
 module Authorio
 	module Exceptions
 		class InvalidGrant < RuntimeError; end
+		class InvalidPassword < RuntimeError; end
+
+		class SessionReplayAttack < StandardError
+			attr_accessor :session
+
+			def initialize(session)
+				@session = session
+			end
+		end
 	end
 end

data/lib/authorio/version.rb

@@ -1,3 +1,3 @@
 module Authorio
-  VERSION = '0.8.1'
+  VERSION = '0.8.2'
 end

data/lib/generators/authorio/install/templates/authorio.rb

@@ -12,4 +12,13 @@ Authorio.configure do |config|
 
 	# The path for token requests
 	# config.token_endpoint = "token"
+
+	# How long tokens will last before expiring
+	# config.token_expiration = 4.weeks
+
+	# Enable local session lifetime to keep yourself "logged in" to your own server
+	# If set to eg:
+	#  config.local_session_lifetime = 30.days
+	# then you will only have to enter your password every 30 days. Default is off (nil)
+	# config.local_session_lifetime = nil
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authorio
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.8.2
 platform: ruby
 authors:
 - Michael Meckler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-13 00:00:00.000000000 Z
+date: 2021-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -34,70 +34,70 @@ dependencies:
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: factory_bot_rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '6.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '11.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '11.0'
 description: Rails engine to add IndieAuth authentication endpoint functionality
@@ -113,22 +113,22 @@ files:
 - app/assets/config/authorio_manifest.js
 - app/assets/stylesheets/authorio/application.css
 - app/assets/stylesheets/authorio/auth.css
-- app/controllers/authorio/application_controller.rb
 - app/controllers/authorio/auth_controller.rb
-- app/controllers/authorio/helpers.rb
-- app/helpers/authorio/application_helper.rb
-- app/helpers/authorio/test_helper.rb
+- app/helpers/authorio/tag_helper.rb
 - app/jobs/authorio/application_job.rb
 - app/models/authorio/application_record.rb
 - app/models/authorio/request.rb
+- app/models/authorio/session.rb
 - app/models/authorio/token.rb
 - app/models/authorio/user.rb
 - app/views/authorio/auth/authorization_interface.html.erb
-- app/views/layouts/authorio/application.html.erb
+- app/views/layouts/authorio/main.html.erb
 - config/routes.rb
 - db/migrate/20210627230156_create_authorio_users.rb
 - db/migrate/20210627230416_create_authorio_requests.rb
 - db/migrate/20210707230416_create_authorio_tokens.rb
+- db/migrate/20210723161041_add_expiry_to_tokens.rb
+- db/migrate/20210726164625_create_authorio_sessions.rb
 - lib/authorio.rb
 - lib/authorio/configuration.rb
 - lib/authorio/engine.rb
@@ -138,11 +138,10 @@ files:
 - lib/generators/authorio/install/install_generator.rb
 - lib/generators/authorio/install/templates/authorio.rb
 - lib/tasks/authorio_tasks.rake
-homepage: https://rubygems.org/gems/authorio
+homepage: 
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://rubygems.org/gems/authorio
   source_code_uri: https://github.com/reiterate-app/authorio
 post_install_message: 
 rdoc_options: []

data/app/controllers/authorio/application_controller.rb

@@ -1,4 +0,0 @@
-module Authorio
-  class ApplicationController < ActionController::Base
-  end
-end

data/app/helpers/authorio/application_helper.rb

@@ -1,4 +0,0 @@
-module Authorio
-  module ApplicationHelper
-  end
-end

data/app/helpers/authorio/test_helper.rb

@@ -1,4 +0,0 @@
-module Authorio
-  module TestHelper
-  end
-end

data/app/views/layouts/authorio/application.html.erb

@@ -1,15 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <title>Authorio</title>
-  <%= csrf_meta_tags %>
-  <%= csp_meta_tag %>
-
-  <%= stylesheet_link_tag    "authorio/application", media: "all" %>
-</head>
-<body>
-
-<%= yield %>
-
-</body>
-</html>